[2018-07-25] PseudoGate->RigEK->SmokeLoader->ZeusPanda

July 25, 2018

Overview

Saz file is 2018-07-25_18-00-37.saz

(↓Analysis result using EKFiddle)

Malware

SmokeLoader

a85f9882b92d6714cf8a24b1f93a773ce9d16aced7b3fc8f2bef69d1cb956ea0
[Hybrid-Analysis] [VirusTotal]

ZeusPanda

5d8d681d912ff3a3cdf67eb699dbce67c2c48065f966f752347d8577ff00b0d8
[Hybrid-Analysis] [VirusTotal]

Traffic-Chain

http[:]//www.sobages.com
↓
[RIG Exploit Kit][Landing Page]
http[:]//188.225.26.251/?NTM3MzU4&ogsBiwIx&DAFtVORUjoEL=c2Vh&ZainuzDtvJ=c2My&rpYVgAgIe=Y2F0cw==&pgnbdgokdHaZHKE=Zmx5&wkLYCKqHqMXTmh=cmVzb3J0&XHVJdrJeAXza=c2hha2U=&rYreGvqDAjd=c3BvcnQ=&fd34g3f=x33QcvWYaRuPDojDM_jdSqFGMUzOGUeIwYqfmLDSF52ofzajz7eSEBzw6V6tSTvVgfdOKbZTIgeyiRqDOQY0n-FZEF5K8_6qkEKVyk6YwJ&CEIeDoyo=bWF0Y2h1cA==&HdlWeTAFyUBnL=c2Vh&IDMAZWmY=c2Vh&PVaKEecoj=Zmx5&taass4=Sy_kaOMw5M_JGWQbU421z2yrVAdMwkxhWA6mVTnu4YUV4T4AkamKrPFaLArkJ0U0YxVQvNepoupUjGVyThNT9wgvOLRAt2q-2K8rVw2ZQu
↓
[RIG Exploit Kit][SWF Payload]
http[:]//188.225.26.251/?NTk0NDkw&vADqJx&TRCEzLcEjtJAbH=c2Vh&MGxyMglZQDBUj=cmVzb3J0&oaQbhNfCAoRQzTq=bWF0Y2h1cA==&fd34g3f=xH3QMrXYbRzFFYHfKP_EUKZEMUvWA0KKwYqZha3VF5qxFDXGpbf1FxnspV6dCFmEmvdvdLYHIwCh1UHASwYy&AsIHgNkGcbwB=cmVzb3J0&KMgJNmJsBeGsz=Zmx5&HzcJqLLIjxeyrfr=Zmx5&qSFWqsWNaOPPCM=c2My&StBuYbgaFpuoQ=c2Vh&VNgWdvNjoqkc=c2hha2U=&WEnpAbqpQfSDaNk=c2hha2U=&taass4=zo1UUV5G9K2vi0KBzhKdgpOGrxGIZQlE9pGRF7Uy2lnyzLISJcgvkhKF4GVVz-ktVlkQ4Akamqr7VaKO-0NA&MAUeiCkWM=cmVzb3J0
↓
[RIG Exploit Kit][Malware Payload]
http[:]//188.225.26.251/?NDIxNzUz&yceTREJqzlUNWdK&DRpfaMATV=Y2F0cw==&zDusuKuL=c3BvcnQ=&laMmMmfIRuhv=cmVzb3J0&RqcrtZxBpDheGq=Zmx5&NGetZzyXBMHeIn=c2Vh&hqfGPci=Zmx5&ySIKKDwTInTljzd=c2My&nkYCjxuSiewEY=bWF0Y2h1cA==&fd34g3f=xHrQMrLYbRzFFYHfKP_EUKFEMUzWA0KKwYqZharVF5qxFDLGpbD1FxnspV6dCF6EmvBvdLEHIwCh1UbASwYyzo1&jFJMNNtdu=Zmx5&JmRVLieRZDV=Y2F0cw==&PzUBDoKjXx=cmVzb3J0&taass4=UUVlG9K2vi0KBzhWdgpOGrxaIZQ5E9paRF7Iy2lnyzLISJcgvkhWF4GVVz-ktW1kZ6A4alarCH6XAnUQtFEExYQ
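(↓Added worked example, not part of the original post or of EKFiddle.) The three RIG EK requests above share the usual shape: a leading bare token that is base64 of a decimal counter, a dozen random keys whose values are base64 English decoy words, and two longer URL-safe parameters (fd34g3f, taass4) that actually carry the data. The script below decodes that pattern for the URLs of this chain and also walks a Fiddler .saz archive to list the requests in session order. Assumptions: the .saz layout (raw/<n>_c.txt per client request) is Fiddler's, the "looks like RIG" rule is my own heuristic rather than an EKFiddle signature, and the sample archive is constructed in memory from the four URLs listed above as a stand-in for 2018-07-25_18-00-37.saz.

```python
"""Added triage helper: decode the RIG EK URL pattern and walk a Fiddler .saz for the chain."""
import base64
import binascii
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# The four requests of this post's traffic chain, defanged exactly as written above.
CHAIN = [
    "http[:]//www.sobages.com",
    "http[:]//188.225.26.251/?NTM3MzU4&ogsBiwIx&DAFtVORUjoEL=c2Vh&ZainuzDtvJ=c2My&rpYVgAgIe=Y2F0cw==&pgnbdgokdHaZHKE=Zmx5&wkLYCKqHqMXTmh=cmVzb3J0&XHVJdrJeAXza=c2hha2U=&rYreGvqDAjd=c3BvcnQ=&fd34g3f=x33QcvWYaRuPDojDM_jdSqFGMUzOGUeIwYqfmLDSF52ofzajz7eSEBzw6V6tSTvVgfdOKbZTIgeyiRqDOQY0n-FZEF5K8_6qkEKVyk6YwJ&CEIeDoyo=bWF0Y2h1cA==&HdlWeTAFyUBnL=c2Vh&IDMAZWmY=c2Vh&PVaKEecoj=Zmx5&taass4=Sy_kaOMw5M_JGWQbU421z2yrVAdMwkxhWA6mVTnu4YUV4T4AkamKrPFaLArkJ0U0YxVQvNepoupUjGVyThNT9wgvOLRAt2q-2K8rVw2ZQu",
    "http[:]//188.225.26.251/?NTk0NDkw&vADqJx&TRCEzLcEjtJAbH=c2Vh&MGxyMglZQDBUj=cmVzb3J0&oaQbhNfCAoRQzTq=bWF0Y2h1cA==&fd34g3f=xH3QMrXYbRzFFYHfKP_EUKZEMUvWA0KKwYqZha3VF5qxFDXGpbf1FxnspV6dCFmEmvdvdLYHIwCh1UHASwYy&AsIHgNkGcbwB=cmVzb3J0&KMgJNmJsBeGsz=Zmx5&HzcJqLLIjxeyrfr=Zmx5&qSFWqsWNaOPPCM=c2My&StBuYbgaFpuoQ=c2Vh&VNgWdvNjoqkc=c2hha2U=&WEnpAbqpQfSDaNk=c2hha2U=&taass4=zo1UUV5G9K2vi0KBzhKdgpOGrxGIZQlE9pGRF7Uy2lnyzLISJcgvkhKF4GVVz-ktVlkQ4Akamqr7VaKO-0NA&MAUeiCkWM=cmVzb3J0",
    "http[:]//188.225.26.251/?NDIxNzUz&yceTREJqzlUNWdK&DRpfaMATV=Y2F0cw==&zDusuKuL=c3BvcnQ=&laMmMmfIRuhv=cmVzb3J0&RqcrtZxBpDheGq=Zmx5&NGetZzyXBMHeIn=c2Vh&hqfGPci=Zmx5&ySIKKDwTInTljzd=c2My&nkYCjxuSiewEY=bWF0Y2h1cA==&fd34g3f=xHrQMrLYbRzFFYHfKP_EUKFEMUzWA0KKwYqZharVF5qxFDLGpbD1FxnspV6dCF6EmvBvdLEHIwCh1UbASwYyzo1&jFJMNNtdu=Zmx5&JmRVLieRZDV=Y2F0cw==&PzUBDoKjXx=cmVzb3J0&taass4=UUVlG9K2vi0KBzhWdgpOGrxaIZQ5E9paRF7Iy2lnyzLISJcgvkhWF4GVVz-ktW1kZ6A4alarCH6XAnUQtFEExYQ",
]


def refang(url: str) -> str:
    """Undo write-up defanging ([:] [.] hxxp) so urlsplit() accepts the URL."""
    return url.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


@dataclass
class RigRequest:
    host: str
    counter: Optional[str] = None                         # leading bare token that decodes to digits
    filler: Dict[str, str] = field(default_factory=dict)  # random key -> decoded decoy word
    opaque: Dict[str, str] = field(default_factory=dict)  # params whose value is not plain text


def decode_text(token: str) -> Optional[str]:
    """Strict base64 -> alphanumeric ASCII, else None (URL-safe '-'/'_' and bad padding both fail)."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isalnum() else None


def parse_rig_url(url: str) -> RigRequest:
    """Split the query into the numeric counter, base64 decoy words and the opaque data-bearing params."""
    parts = urlsplit(refang(url))
    req = RigRequest(host=parts.hostname or "")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if value == "":                        # bare tokens such as NTM3MzU4 or ogsBiwIx
            word = decode_text(key)
            if word and word.isdigit():
                req.counter = word
            continue
        word = decode_text(value)
        (req.filler if word else req.opaque)[key] = word or value
    return req


def looks_like_rig(req: RigRequest) -> bool:
    """My own heuristic, not EKFiddle's signature: counter + many decoy words + a few opaque params."""
    return req.counter is not None and len(req.filler) >= 5 and 1 <= len(req.opaque) <= 3


# .saz handling: Fiddler stores each session's raw client request as raw/<n>_c.txt inside the zip
REQ_FILE = re.compile(r"raw/(\d+)_c\.txt$")


def build_sample_saz() -> bytes:
    """Constructed stand-in for 2018-07-25_18-00-37.saz holding only the four requests above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as saz:
        for n, url in enumerate(CHAIN, start=1):
            p = urlsplit(refang(url))
            target = (p.path or "/") + (f"?{p.query}" if p.query else "")
            saz.writestr(f"raw/{n:02d}_c.txt",
                         f"GET {target} HTTP/1.1\r\nHost: {p.netloc}\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
    return buf.getvalue()


def urls_from_saz(data: bytes) -> List[str]:
    """Return the absolute URL of every client request, in session order (origin or absolute form)."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(data)) as saz:
        numbered = [(int(m.group(1)), n) for n in saz.namelist() for m in [REQ_FILE.match(n)] if m]
        for _, name in sorted(numbered):
            head = saz.read(name).decode("latin-1").split("\r\n\r\n", 1)[0].split("\r\n")
            target = head[0].split(" ")[1]
            host = next((h.split(":", 1)[1].strip() for h in head[1:] if h.lower().startswith("host:")), "")
            urls.append(target if target.startswith("http") else f"http://{host}{target}")
    return urls


def triage(data: bytes) -> List[str]:
    """One line per request: host, RIG verdict and, for hits, the counter and opaque parameter names."""
    lines = []
    for url in urls_from_saz(data):
        req = parse_rig_url(url)
        if looks_like_rig(req):
            lines.append(f"{req.host}: RIG-like, counter={req.counter}, opaque={sorted(req.opaque)}")
        else:
            lines.append(f"{req.host}: not RIG-like")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(build_sample_saz())))
```

On the real capture, replace build_sample_saz() with the bytes of 2018-07-25_18-00-37.saz; the decoy words (sea, cats, fly, resort, shake, sport, matchup) are what the base64 values above decode to, and only fd34g3f and taass4 survive as opaque in all three RIG requests, which is why those two names are the useful pivot rather than the random keys.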